Las Vegas 2022
Fireside Chat on Audit with Norman Marks

Fireside Chat on Audit with Norman Marks hosted by Gene Kim

Full transcript

The complete talk, organized by section.

Host Intro (Gene Kim)

To introduce the next talk, I want to motivate why I asked this person here for us today. The person's name is Norman Marks, and I think he is one of the finest minds in auditing. He and I have known each other for about 15 years, and there was a project we got to work on together, and it was probably one of the most professionally exciting experiences I've had in my career.

To set the stage, it is 2005. The Sarbanes-Oxley Act was just passed in response to the massive fraud at WorldCom, Enron, and too many more. It was breathtaking legislation, but one of the unintended consequences was that it created so much work for IT, often driven by the external auditors. Computerworld said at the time that, according to CIOs, SOX was rated the biggest time waster ever. Someone put it very succinctly: this sucks, because Enron was not caused by an unauthorized database change.

So I got to be a part of this team at the Institute of Internal Auditors, where we worked with the heads of IT audit, the Big Four, the PCAOB, the Public Company Accounting Oversight Board, who audits the auditors, to see if we could create an endorsed set of scoping guidelines for IT audits. In other words, if a failure in an internal control cannot result in a material error in a financial statement, it should not even be in scope of the audit and therefore should not be audited.

To watch Norman in these scenarios, I can only characterize it as intellectual combat with the national practices at the Big Four. It was incredible to watch. It was one of the most incredible professional experiences that I've ever had, and I learned from that experience what it looks like to be able to change an industry.

So it was really important to me that Norman Marks give us his opinion on what Clarissa, Todd, and their team have been doing. After all, if it's crazy, it's better we find out now than later, before people get their auditor badges taken away.

He's always been a leader, both in business and audit, to help the organization win, and he's done most of it as an auditor. He was a chief audit executive at Maxtor Corporation, Business Objects, Solectron, Tosco. He held executive positions at SAP. Norman, I am so delighted and honored that you could join us today. Norman Marks.

Fireside Chat (Gene Kim and Norman Marks)

Gene Kim: Norman, this is the first time we've got to hang out in almost a decade. I'm so delighted that you're here. We were catching up backstage, and you actually told me some of your reactions and feelings watching some of these talks today. Before we begin, could you share some of what you told me?

Norman Marks: Absolutely. This is after he accused me of being a career auditor.

Gene Kim: Sorry.

Norman Marks: I'm all about helping the organization that I'm involved in succeed. What I heard today is a passion. What I heard today is that we're in the middle, some of you further along than others, in a revolution. A revolution that is going to change the way in which not only IT, but the whole organization, is going to be able to respond in this dynamic, disruptive climate that we're in.

This has been something which I've had a lot of passion about, even before I retired, which is some years ago now, and trying to help people become faster, more agile, more responsive to the needs of the organizations, to actually take more risk. In these days, this is what you're doing. You're actually taking more risk and failing fast. I heard that today. I thought, wonderful.

I heard you're breaking all the rules. Fantastic, because those are rules which are slowing us down and stopping us from being successful, and we've got to get past that. What I heard with Clarissa today and her partner, which is so wonderful to see, is a recognition that we are actually on the same side.

I think you'll find that if you give your auditors a chance, and I hope we will talk about that, they are going to not only be with you, but they'll help you. They'll actually break down some of the barriers that I know you are running into every day on your journey, because we also not only want to help the organization succeed, but we want to help you succeed.

What I told you today was that what I heard today makes me regret that I retired. It makes me regret that I left IT. I was a vice president in IT for a while before I went back into internal audit and then into risk management. It made me regret not being in a position to be part of a change like this, which is so exciting.

Gene Kim: That's so great. By the way, I just want to remind everyone that this is coming from someone who's held the position of chief audit executive, so it's delightful beyond words. Norman, let's talk about Clarissa and Todd's presentation. I can imagine auditors of certain backgrounds may have watched that presentation and concluded that it's reckless, irresponsible, and maybe even immoral. Can you opine on whether their working relationship between audit and technology isn't just not crazy, but is even consistent with the great auditors and practices you've seen in your own career?

Norman Marks: Gene, there may be this misapprehension, and it's born out of what people have experienced. A great many people in management have had bad audits. When I was in IT, I had a bad audit. I've lived through the auditor coming in and telling me that all the things that I had listed as tasks in my information security product implementation were findings, and they were going to write me up for not doing anything about all of these tasks.

I said, but these are tasks I told you about. Yes, we haven't got them done yet. I said, should I be doing them faster with the resources that I've got? Have I prioritized it? Yes, you've done everything right, but we're still going to write you up.

There are still some people out there who are this traditional, gotcha kind of auditor. But most people today in the audit profession really, really want to be part of the success of the organization, and they are willing to adapt. That's why people are talking about lean auditing. They're talking about agile auditing in different ways, auditing with agility, which is so different from what people like Clarissa's company are talking about. It's not about sprints. It's about auditing at speed, just like you're trying to develop at speed.

The other thing is that when I was in IT with this bank, I saw them move to quarterly releases and I shuddered. I actually shuddered and said, why are you doing this? Have you talked to your customers? They are complaining to me, when I was in IT audit before I moved into IT and into management, about the backlog of all the things they needed to run the business not being done. Yet you're slowing everything down. Why are you doing this? To see all of you working to turn that on its head is just fantastic.

Gene Kim: By the way, you characterized an ideal auditor as an independent friend. Can you say a little more about that?

Norman Marks: One of the leaders in internal auditing is a gentleman called Richard Chambers. He was the president and CEO of the Institute of Internal Auditors, which you and I were both involved in, and he came out with essentially a bestseller, when you talk about internal auditor bestsellers, called The Trusted Advisor.

That's a concept which goes only so far. Recently I saw something about being an independent friend. That also doesn't really go far enough in my opinion, but it brings out the idea that the auditor has to be objective. They have to provide an independent opinion and assurance, but they also have to provide insight and advice to help the organization upgrade its processes, upgrade its services, what it's doing in terms of delivering value.

This idea recognizes that we are hopefully trying to do things together, and it's in both of our interests to work together as we saw within the previous session too. But we can still go further. We can still go an awful lot further.

Gene Kim: As we prepped for this, I was shocked by some of the stories that you told me about some phenomenal exemplar engagement models, specifically Chris Keller. Could you tell us about that and teach us what great could look like?

Norman Marks: Chris Keller is a rebel, just like many of you. He was with a little company called Apple, which is not really a traditional company by any stretch. He saw this whole idea of an audit report as being less than adding huge value, which I totally agree with. One of the things I've been writing about recently is, where is the value in an audit report? Aren't there better ways of communicating what we do in internal audit?

What Chris Keller did is he recognized that the greatest risk for Apple lay in their products, all their different products they were developing and maintaining and doing upgrades to. So what he did is he turned internal audit on its head and changed the entire methodology. He embedded auditors into every different product group, and their role was basically to be there as a consultant, as an advisor, making sure that management was going through an appropriate process to understand the risks in what they were doing, to not be taking too many chances, to develop products that were going to work, were going to be delivered on time, were going to have the functionality that the market needed.

They would work there and cohabit with the developers, with the product group, with the same objective of delivering excellence. If they found something that they didn't like, they would then immediately, not just twice a week, but twice a day, talk to management and have a discussion, agree upon the facts, agree upon what needed to be done. They found that actually everything was working throughout the cycle of the development.

If they ever did have a problem, Chris had direct access to the CEO.

Gene Kim: He was head of internal audit.

Norman Marks: He was head of internal audit. Yes. He was called the chief audit executive, and he reported to the audit committee of the board. Everything from a governance point of view was the same as everybody else, but he just realized that his job was to help make sure the company was doing the right thing, taking the right level of the right risks to succeed.

If one product CEO started doing things which he knew were in violation of what the board and the CEO wanted, he could just pick up the phone, talk to that vice president, and say, you know, you're doing something that the board doesn't want. Maybe we should sit down with the CEO. All of a sudden they started recognizing, yeah, this probably isn't the right thing to be doing.

His whole idea was help the organization succeed by doing the thing that is right for the business. Frankly, he didn't care about those standards that Clarissa mentioned, and frankly, this is not something that every auditor necessarily understands. This is why the internal audit professional standards are in the process of being changed to reflect the need to partner with management every day, every minute of every day, to make sure that things are going right, not to catch them out, but to help them on their journey.

Gene Kim: If I remember correctly, you said he never wrote an audit report?

Norman Marks: Gene, he never wrote an audit report. It's absolutely right. Frankly, on many of the projects that I did on my team, the professional standards recognize that there are times when you're just going in and doing an audit, maybe of accounts payable or sales contracting, and you want to make sure that senior management and the board understand whether things are going the way in which they should be going, and writing an audit report.

But a lot of our work, maybe 20, 30, 40, 50 percent of the work of my team, was actually where change was happening, where systems had been developed, where new methodologies were being implemented, not only in technology but also in the refining operations, for example. We would go in as consultants, and the only report we ever produced was to management, not to the board. We told the board that this is what we were doing, because the best way to make sure the risks are being taken appropriately is to prevent them from being taken inappropriately to start with.

Gene Kim: That's incredible. I'm going to ask you about your Circle K story, which is another mind-expanding example, but I feel like we should tell the twist in the story with Chris Keller, because eventually he changed roles.

Norman Marks: He changed roles. Unfortunately, what happened was the external auditors went to the audit committee and said, you don't really have an internal audit department. They're a risk function. Over his objections, the board said, okay, we'll set up a separate internal audit function to do more traditional things to satisfy the auditors. So Chris Keller was given the option of becoming more traditional, but he said, no, this is what I believe and what I'm doing. So he became the chief risk officer.

Gene Kim: Interesting. It's interesting that the guidance and the standards are changing as well. You told me another story that blew me away in terms of a time when audit was very much interacting with the technology group in a very unfamiliar, alien way. Could you tell us that story?

Norman Marks: He's talking about the convenience store.

Gene Kim: Exactly.

Norman Marks: The company I was with was a company called Tosco, which was close to a $50 billion oil refining and marketing company, mostly domestic in the United States. We owned about 6,000 convenience stores under the Circle K brand, some Exxon, some Mobil, mostly in the west and south, down into Florida.

They decided, from a business point of view, they really needed to upgrade everything in the convenience store. They went out and bought new software for each of the individual stores, new hardware for each individual store, and then they purchased a new central stores accounting system which would be operating out of our Phoenix headquarters. In the process, by the way, they also decided to acquire new identity access and a new test environment.

What they didn't realize was that the software for the stores was actually built for fashion boutiques in malls, not convenience stores. It was running on hardware that it had never been designed for, and the central store system that they purchased was not designed for this software.

We came along and said, first of all, I was fortunate. I hadn't told you this, Gene, but one of my recent hires was a techie, and he had experience with that access methodology, the IAM that was being used. He came and told me, they're doing it all wrong. I said, why are you telling me? Tell them. So he went in the department with them and helped them set it up properly, because he had the experience that our company did not.

Anyway, we found that they did not have the test environment in order where they could even come close to simulating the volume of 6,000 stores all trying to send data and receive data from the central store system.

Gene Kim: This is just like The Phoenix Project. This is terrible.

Norman Marks: So my team, which was two IT managers and a business auditor, understood IT. We could actually break down some of the barriers between IT and the users, because we would sometimes act as an interpreter between the different parties. My team came to me and told me that this was highly likely to fail, highly, highly likely to fail, and not really surprising. I encouraged them to go to the steering committee for the project, which was chaired by the CFO, the CIO, and the different vice presidents of the business, and explain it to them.

The project board fully understood what was going on. They looked at all the risks. They looked at the risk of going forward and failing. They looked at the risks of delaying. They were getting close to the fourth quarter, where they didn't want to implement. They were heavily reliant upon Arthur Andersen back then as consultants, who they might lose if they delayed. So they decided the greater risk was delaying versus going forward.

My team came back to me all dispirited, and I said, okay, what do you think we should do? They went away and came back and said, we think we can predict where it will fail. So why are you telling me? Go to management. They went and talked to the CEO and his team and told them where it's most likely to fail. Then they worked with management to put response teams and Band-Aids in place.

It went live. It failed multiple places, but it failed fast, and the Band-Aid was applied at speed. So it was actually a successful deployment.

Gene Kim: Awesome. A round of applause for that cool story. Thank you. Two questions that we need to cover in about three and a half minutes. What advice would you give to this community, who are often on the frontier of creating new ways of working that may look very alien, strange, and even dangerous to not just auditors but maybe everyone around them? What advice would you give?

Norman Marks: Realize that the auditor can be your friend. They want to help the organization succeed. If your organization, your CIO, and top management have done a good job of persuading the senior management of the organization and even the board that this is a change that's needed and why, your head internal auditor should be part of understanding that, will understand why you want to do it.

Bring in your internal auditor as a consultant and advisor, because they will be objective. They will break through any bias. They will break through any potential for authority to stop people from complaining about, this won't work. They will also be able to talk to your users and be a translator. They can help you. They can help you on your journey.

You're breaking the rules. Get the auditor to embrace that, which they usually will, and make sure that you have new rules in place which will work effectively to address the risks of any kind of damage to the business.

Trust me, the auditors I talk to, and I talk to a lot, they want to be part of a journey like this. They really want to, because they will be invigorated. They will be just as motivated as you are with your success.

Gene Kim: That is mind-expanding. I know you're retired now, but I know that you can be occasionally coaxed out of your period of quiet reflection and contemplation. Can you describe what projects you do these days?

Norman Marks: Gene, I only do small things because I don't want to get involved. I'm being asked to do some large projects, but I am trying to be mostly retired. I do mentoring and consulting for organizations. There are some people that will call me up and say, would you help us talk to our board? Will you help us talk to internal audit? For example, if you're having a problem persuading your internal auditor to work with you, bring me in. I'm considered by many to be one of the top influencers in the internal audit space, and so maybe my voice added to yours will bring them along a little bit and encourage them to break their walls, because their walls are not helping them do their business either.

Gene Kim: I think if I can just double down on that, Norman Marks, without doubt in my mind, is one of the best thinkers and doers in the audit profession and many other domains as well. Thank you so much for teaching us about audit, and I'm so grateful that you will be available for Q&A right after lunch. Details to be announced. A round of applause for Norman Marks. Thank you.